Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm lead advisor and senior analyst with KuppingerCole. This again is a special episode of this KuppingerCole Analyst Chat, because we are still at EIC in Munich. It's September 2021 and we are catching up on topics that we think are of importance for this event and for the future, for our audience. At least we hope so. My guest again is Martin Kuppinger. He is the principal analyst and the founder of KuppingerCole. Hi Martin.
Hi Matthias. One of the founders, one of the founders.
Sorry for that. Yeah, we want to continue the discussion that we started in an earlier episode, where we talked about standards, about organizations, about identities and their processes coming together, joining together, and on the other side being deconstructed, being separated into different aspects of this user journey, this identity journey. And we want to continue with the concept of a triangle that really shows different dimensions of these processes and this deconstruction of identity processes. Can you explain where we start?
Yeah, I think this also kicked off in some of the conversations we had at the conference, and earlier it started around passwordless authentication, which is a topic that is very prominent these days, and what passwordless is, et cetera, we'll discuss in a minute. But basically the point is that passwordless authentication, if you do it right, combines security and convenience. And this is very, very different from balancing security and convenience. Combining is: both can go up. Balancing is: if you go up with one, the other goes down, or the other way round, right? So the trade-off for more security is less convenience. The trade-off for more convenience is less security. This is balancing. Combining is what passwordless authentication does. The coolest thing about it is the combining. So you can achieve a higher level of security with a higher level of convenience. So you have security and you have convenience, and then there's the trust. So we then, maybe as the provider, might say, we know that it's more secure, but does the customer or the user trust that it is more secure? Because the experience may be, oh, this is super simple, that can't be secure. So we need to look at this triangle and also sort of make clear that this is really the better way to do it.
Yeah. At first sight, this is counterintuitive, because we've been telling people that username and password is insecure, but this is more than passwordless for the user experience. So they really have to take a step back and really unlearn. We need to convey the message that this is really more secure. So where is this trust, where does this come from?
I think the trust comes, in some ways, from experience. It comes from education. It comes also from explaining a little bit. And I think there's so much which is not well understood about passwordless authentication. But sometimes it's relatively easy to understand and to explain. I think the most important thing in passwordless authentication is: there's no password that travels. So there's nothing like a password that goes from the client's device, the customer's or user's device, to the server. There's nothing like a database of 10 million passwords or password hashes, and hopefully password hashes at least. And that just takes passwords stored on a server, that is not happening in passwordless authentication anymore. But it is that you have an element on your device, a trusted platform module, a TPM chip, or a secure enclave, which stores secrets, and the secrets are created when you register the device.
So you have a device like a smartphone or a notebook, and you register this device and map it, link it to you, your identity. And then on the device there is some cryptographic key storage, which is then used for your authentication. And if you're able to unlock the device, using typically some biometrics, then you are allowed to, or you can, authenticate, and then just this cryptographic information is used. There's no password traveling anymore. There's no password database at all. If you would use just the password to unlock your device, nothing that's encrypted, nothing biometric, then it wouldn't be really passwordless, even while the password doesn't travel. So I think we need to look at both these aspects. The interesting thing is, if you have that, then you have: so when we go to authentication, we have always just three types of factors, what we know, who we are, and what we possess. And passwordless builds on possession, the device with this secure chip on it, which is virtually impossible to crack, at least no one has done so far, and it would require extreme effort. And it's about the biometrics, so who the person is. Then we have two very strong factors combined, which are very easy to use, maybe aside from face recognition in the age of wearing face masks; then face recognition isn't the best biometric. But this is really what happens here.
Right? So the security, as you said, is based on the content of the secure enclave, of this TPM. That means as long as I do own this device, as long as I have it there, and I can unlock the formerly trained TPM or secure enclave, this will be actually my authenticator that will make sure that I can unlock the key mechanisms to encrypt the communication towards the services. And this is actually the passwordless authentication. So that would explain, for many who are usually always buying the newest Android phone, the newest iPhone, they have to retrain, they will have to go through this process again and again, and re-register their devices, right?
It is, I think, two parts of re-registration. So if you have a device and replace it by another device, you have to re-register. If you use the device for service A and service B, you also need to create the pair of cryptographic keys. So it is this device registration thing we have. Sometimes it is then that you have one provider which then acts as the IdP, the identity provider, towards others. Then there is less registration. So this is what frequently happens, so that you don't have too many of these registration steps, but it's part of what you have to do. And part of the good thing is, and I think this is where really the trust can come from, we had this discussion just yesterday about: yeah, but what happens if someone steals the biometric information about my face?
The good thing is that information is on the TPM chip locally, virtually impossible to crack. And it's not this 70 million record password database somewhere at a large company, which can be hacked, where data can leak, which then appears in the dark net, which can be purchased. This is exactly what is not happening here. You've never heard about 70 million records of data points for faces being leaked or stolen, correct? This will not happen, because it doesn't exist that way. It doesn't work that way. And this is where we get rid of a huge risk we have experienced so frequently over the past decades already. I need to say, this is what really is a change. And this is why we can trust more. We just need to trust in the TPM chip, the enclave. And we pay, in some way, a price of creating these links between the device and the services where we authenticate.
This is something we need to do, which, by the way, brings one interesting problem or challenge: that is, if we have many devices, or if we, forget it, are on business travel or whatever, and the Android phone or iPhone falls to the floor and crashes. We need a new phone. Then we have to recreate these connections. It's not just powered on and everything is working again, right? So a little bit like when you just bring in a new Windows computer and log in with your Microsoft ID, where a lot of this is done by that alone. By the way, you also don't need to verify this device again if you bring up your next Windows computer, because of Windows Hello and the way it authenticates; it always goes into passwordless, it's the same. You also need to then create this link, you need to create it.
We don't see that this is a pair of cryptographic keys, but you need to create it. It's the same thing which is happening. And so we need to figure out ways how. So I think we will not get rid of this link of the device to the services. That is what we need to do, but we need to ensure that we can do that and then still get all the other things we had on our devices back as easily as we can. For instance, when we are traveling abroad, we need to change our phone and we might still need a COVID pass. How can we do that? These are things we can solve, but they are independent of the authentication, right?
As you said, when we need to bootstrap a new device, at that point in time we do need some other credentials as well. We will need at least something like a password or another third factor to be able to re-register our fingerprint, our face, with this mechanism, to make sure that we add this level of security, because your face, my face, my fingerprint, these are not secrets.
No, and they are not stored centrally, also; that's the other side of it. And so there's nothing where we can say, okay, we have it, we compare it with everything we know about Matthias and his face on a central server. We need to redo it. That's part of it. But that is, I think, also what can help us over time in creating the trust, because these things don't travel; you have to do that step the next time again, because it just doesn't travel. And this is really a thing, and an interesting thing. And part of what we clearly need to do is to educate about the trust part, because the convenience part you can achieve is very visible. And I think many of us experience it already, day by day, because it's not about always entering usernames and passwords. It's really a different thing. And the security is definitely higher; just think about 70 million passwords not being stolen, because they don't exist anymore, these databases. And that's really where we need to move on.
Right? In the earlier episode, we discussed the GAIN network, where we have verified identities, strongly verified identities, but that does not mean that we cannot have this type of convenience as well, by linking, for example, my Android account, my iPhone, my Apple account, to this verified identity. We can have the best of both worlds. We have the high level of assurance and we can...
I think there is some misconception: you're not linking your Apple account, you're linking your iPhone. Exactly. And I think this is very important. You're not linking your Apple account, you're not linking some Google account on your Android phone. What you're linking is the device.
Exactly, but represented through it, because it's connected to the device. Be careful: what you're authenticating is the device. That's the point.
And what really works very intensively in the background usually is the FIDO Alliance standards, by the way, standards we gave an award to a couple of years ago, exactly, already at a European Identity Conference. That's one of the most essential standards, and some other standards, by the way, also evolved here: OpenID Connect, if I remember right, sort of the first steps have been made at our conference a couple of years ago. So yes, there are important standards. This is what makes it work. And so yes, we are at the point where we can combine security and convenience, and we need to build the trust. And I think a lot of people don't trust it yet, but we easily can, if we do it right; I think we can easily explain why there can be high trust in that. And I always start with saying, hey, there's not this 70 million password database, which kind of...
Right. So the next step is whom to educate: the service providers, to make sure that they benefit from these new, highly trusted frameworks and get rid of their 70 million username and password databases and move towards a more, yeah, more secure, more resilient and just more convenient platform for doing authentication.
Which goes back to saying, okay, I also can use, maybe I continue for a while with my username and password access, not to be too disruptive to my users, but I add other options to that. I allow users to come in with LinkedIn, Google, which have some form of two-factor already, which are shifting that way. So relying on others, there are various ways to do it, and we can proceed that way. So yeah.
Let's look forward. Yeah, absolutely. So again, this is a great summary. We, as analysts, can only recommend, we can only educate, we can hopefully identify the right standards, as you said, to help in things evolving in the right direction, at least what we consider to be the right direction. But it's great to see things coming together, just like we do here at EIC 2021. So thank you again, Martin, for being my guest today, and I'm really looking forward to what will be happening in the next two days here. So yeah, thanks for being here. Thank you.